ldap

- LDAP as a naming repository

Description

LDAP refers to Lightweight Directory Access Protocol, which is an industry standard
for accessing directory servers. By initializing the client using ldapclient(1M) and using
the keyword ldap in the name service switch file, /etc/nsswitch.conf, Oracle Solaris
clients can obtain naming information from an LDAP server. Information such as
usernames, hostnames, and passwords are stored on the LDAP server in a Directory
Information Tree or DIT. The DIT consists of entries which in turn
are composed of attributes. Each attribute has a type and one or
more values.

Oracle Solaris LDAP clients use the LDAP v3 protocol to access naming
information from LDAP servers. The LDAP server must support the object classes
and attributes defined in RFC2307bis (draft), which maps the naming service model on
to LDAP. As an alternate to using the schema defined in RFC2307bis (draft), the
system can be configured to use other schema sets and the schema
mapping feature is configured to map between the two. Refer to the
Oracle Solaris Administration: Naming and Directory Services for more details.

The ldapclient(1M) utility can make an Oracle Solaris machine an LDAP client
by setting up the appropriate directories, files, and configuration information. The LDAP client
caches this configuration information in local cache files. This configuration information is
accessed through the ldap_cachemgr(1M) daemon. This daemon also refreshes the information in the
configuration files from the LDAP server, providing better performance and security. The
ldap_cachemgr must run at all times for the proper operation of the
naming services.

There are two types of configuration information, the information available through a
profile, and the information configured per client. The profile contains all the
information as to how the client accesses the directory. The credential information
for proxy user is configured on a per client basis and is not
downloaded through the profile.

The profile contains server-specific parameters that are required by all clients to
locate the servers for the desired LDAP domain. This information could be
the server's IP address and the search base Distinguished Name (DN), for
instance. It is configured on the client from the default profile during client
initialization and is periodically updated by the ldap_cachemgr daemon when the expiration
time has elapsed.

Client profiles can be stored on the LDAP server and can be
used by the ldapclient utility to initialize an LDAP client. Using the
client profile is the easiest way to configure a client machine. See
ldapclient(1M).

Credential information includes client-specific parameters that are used by a client. This
information could be the Bind DN (LDAP “login” name) of the client
and the password. If these parameters are required, they are manually defined
during the initialization through ldapclient(1M).

The naming information is stored in containers on the LDAP server. A
container is a non-leaf entry in the DIT that contains naming service
information. Containers are similar to maps in NIS. A default mapping between
the NIS databases and the containers in LDAP is presented below. The
location of these containers as well as their names can be overridden through
the use of serviceSearchDescriptors. For more information, see ldapclient(1M).

Database

Object Class

Container

passwd

posixAccount

ou=people,dc=...

shadowAccount

group

posixGroup

ou=Group,dc=...

services

ipService

ou=Services,dc=...

protocols

ipProtocol

ou=Protocols,dc=...

rpc

oncRpc

ou=Rpc,dc=...

hosts

ipHost

ou=Hosts,dc=...

ipnodes

ipHost

ou=Hosts,dc=...

ethers

ieee802Device

ou=Ethers,dc=...

bootparams

bootableDevice

ou=Ethers,dc=...

networks

ipNetwork

ou=Networks,dc=...

netmasks

ipNetwork

ou=Networks,dc=...

netgroup

nisNetgroup

ou=Netgroup,dc=...

aliases

mailGroup

ou=Aliases,dc=...

publickey

nisKeyObject

generic

nisObject

nisMapName=...,dc=...

printers

printerService

ou=Printers,dc=...

auth_attr

SolarisAuthAttr

ou=SolarisAuthAttr,dc=...

prof_attr

SolarisProfAttr

ou=SolarisProfAttr,dc=...

exec_attr

SolarisExecAttr

ou=SolarisProfAttr,dc=...

user_attr

SolarisUserAttr

ou=people,dc=...

The security model for clients is defined by a combination of the
credential level to be used, the authentication method, and the PAM modules
to be used. The credential level defines what credentials the client should
use to authenticate to the directory server, and the authentication method defines the
method of choice. Both these can be set with multiple values. The
Oracle Solaris LDAP supports the following values for credential level :

anonymous

proxy

self

The Oracle Solaris LDAP supports the following values for authentication method:

none

simple

sasl/CRAM-MD5

sasl/DIGEST-MD5

sasl/GSSAPI

tls:simple

tls:sasl/CRAM-MD5

tls:sasl/DIGEST-MD5

When the credential level is configured as self, DNS must be configured
and the authentication method must be sasl/GSSAPI. The hosts and ipnodes in
/etc/nsswitch.conf must be configured to use DNS, for example hosts: dns files and ipnodes: dns files.

sasl/GSSAPI automatically uses GSSAPI confidentiality and integrity options, if they are configured
on the directory server.

The credential level of self enables per-user naming service lookups, or lookups
that use the GSSAPI credentials of the user when connecting to the
directory server. Currently the only GSSAPI mechanism supported in this model is
Kerberos V5. Kerberos must be configured before you can use this credential level.
See kerberos(5) for details.

More protection can be provided by means of access control, allowing the
server to grant access for certain containers or entries. Access control is
specified by Access Control Lists (ACLs) that are defined and stored in
the LDAP server. The Access Control Lists on the LDAP server are
called Access Control Instructions (ACIs) by the the SunOne Directory Server. Each ACL
or ACI specifies one or more directory objects, for example, the cn
attribute in a specific container, one or more clients to whom you
grant or deny access, and one or more access rights that determine what
the clients can do to or with the objects. Clients can be
users or applications. Access rights can be specified as read and write,
for example. Refer to the Oracle Solaris Administration: Naming and Directory Services regarding the restrictions on ACLs and ACIs
when using LDAP as a naming repository.

A sample nsswitch.conf(4) file called nsswitch.ldap is provided in the /etc directory.
This is copied to /etc/nsswitch.conf by the ldapclient(1M) utility. This file uses
LDAP as a repository for the different databases in the nsswitch.conf file.